Abstract

This paper defines CLTLB($\mathcal{D}$), an extension of PLTLB (PLTL with both past and future operators) augmented with atomic formulae built over a constraint system $\mathcal{D}$. The paper introduces suitable restrictions and assumptions that make the satisfiability problem decidable in many cases, although the problem is undecidable in the general case. Decidability is shown for a large class of constraint systems, and an encoding into Boolean logic is defined. This paves the way for applying existing SMT-solvers to the Bounded Reachability Problem, as shown by various experimental results.



1 Introduction 

Many extensions of temporal logic or automata have been proposed with the goal of verifying infinite-state systems. Among the many extensions of Propositional Linear Temporal Logic (PLTL), there have been proposals of allowing formulae which may include arithmetic constraints belonging to a specific constraint system [6, 10]. These logics are well-suited to define properties of infinite-state systems, but, unfortunately for the aim of automatic verification, previous results have also shown the undecidability of the satisfiability problem, at least in the general case [12]. Here we define a more general logic, called CLTLB($\mathcal{D}$), which is an extension of PLTLB (PLTL with Both future and past operators), allowing arithmetic constraints belonging to a generic constraint system. To cope with undecidability, already known for the less general case above, we introduce suitable assumptions concerning the structure of models, but without any syntactic restriction on formulae. Models only consider partial valuations of arithmetic variables: the satisfiability of CLTLB($\mathcal{D}$) then turns out to be decidable, provided that the constraint system $\mathcal{D}$ has a decidable decision procedure. We then define the Bounded Reachability Problem (BRP) for CLTLB($\mathcal{D}$), which can be decided by showing its equivalence to the satisfiability of CLTLB($\mathcal{D}$) over partial valuations. We realized a Bounded Reachability Checker by using SMT-solvers natively implementing decision procedures for Quantifier-Free Integer Difference Logic with Uninterpreted Functions (QF-UFIDL) and Quantifier-Free Linear Integer Arithmetic with Uninterpreted Functions (QF-UFLIA). Experimental results using the Zot toolkit [18, 20] show that, the greater expressiveness of CLTLB($\mathcal{D}$) notwithstanding, the encoding of the propositional part is considerably faster and has a smaller memory footprint than existing SAT-based encodings of PLTL.

The paper is structured as follows. Section 2 reports on the state of the art in extending PLTL with constraint systems. Section 3 introduces CLTLB($\mathcal{D}$), while Section 4 presents various decidability and undecidability results. Section 5 introduces and solves the BRP. Section 6 defines an encoding of CLTLB($\mathcal{D}$) into logics suitable for SMT-based verification. Section 7 reports on the performance of the original SAT-based plugins of Zot compared with the SMT-based ones on a number of examples taken from different application domains. Finally, Section 8 draws a few conclusions and outlines future research.

2 State of the art 

Among the various proposals of extension of LTL, CLTL (Counter LTL) has been defined in [6]. CLTL is, essentially, Propositional LTL with future operators (PLTL), with in addition terms that are arithmetic constraints in Integer Difference Logic (DL). However, by reducing the recurrence problem for Minsky machines to the satisfiability of a CLTL formula, it is shown that the logic is undecidable, hence unsuitable for automatic verification.

A generalization of CLTL is CLTL($\mathcal{D}$) [10], where the arithmetic constraints belong to a general constraint system $\mathcal{D}$. If $\mathcal{D}$ has an intrinsic counting mechanism, i.e., it contains equality and a binary injective relation $R$ such that its graph is a DAG, then CLTL($\mathcal{D}$) is undecidable. Indeed, a relation satisfying the hypothesis of the theorem generalizes the "successor" function and can be used to define constraints of the form $y = z + 1$. [12] proves the undecidability of the satisfiability problem of CLTL$^m_l$(DL), which is the restriction of CLTL(DL) to formulae with at most $m$ variables and of depth less than or equal to $l$. CLTL$^m_l$(DL) is shown to be $\Sigma^1_1$-hard for $m > 1$ and $l > 1$, while CLTL$^1_1$(DL) is shown to be PSPACE-complete.

For practical model-checking, a large variety of infinite-state systems can be effectively represented by counter systems. In this case, interesting results on verifying safety and reachability properties can be obtained by constraining the control graph of the counter system to be flat [7, 5], i.e., no control state occurs in more than one simple cycle. Properties are defined by means of Presburger arithmetic constraints, but they are not considered in the framework of any temporal logic such as CLTL or CLTL($\mathcal{D}$) described above. In [11] the authors extend some results about flat systems to more general classes of infinite-state systems in which some first-order extensions of CTL* have decidable model-checking.

To cope with undecidability, [8] describes a reduction of infinite BMC to a satisfiability problem of Boolean constraint formulae. By translating LTL formulae into a corresponding Büchi automaton, a BMC problem is reduced to the satisfiability of a mixed arithmetic-Boolean formula. The authors also give a proof of soundness and completeness for the U-free fragment of the logic. In this case, the BMC problem is solved by means of a loop-free encoding, since U-free formulae can always be translated into an automaton over finite words accepting a prefix of all infinite paths which satisfy them. In all other cases, generic LTL formulae are translated into a corresponding Büchi automaton with acceptance conditions involving an implicit periodicity constraint over counters. However, this translation does not work when counters do not behave periodically. For instance, consider a transition system defining a non-periodic, strictly increasing counter $x$ starting at 0. Property $\top\mathsf{U}(x < 0)$ does not hold for this system, but the Büchi automaton corresponding to its negation imposes a periodic constraint over the sequence of values of $x$, which cannot be satisfied. Hence, using the translation outlined above, verification of formula $\top\mathsf{U}(x < 0)$ for the strictly increasing counter improperly yields true.

We define a complementary, purely descriptive, approach which solves this problem. It is also aimed at solving reachability problems for infinite-state systems whose propositional, possibly periodic, behaviors induce a finite prefix of values of variables and satisfy a CLTLB($\mathcal{D}$) specification, instead of LTL properties just over arithmetic constraints.

3 A Temporal Logic over Constraint Systems 

This section presents an extension of Kamp's [15] PLTLB, by allowing formulae over a constraint system. As suggested in [6], and unlike the approach of [9], the propositional variables of this logic are Boolean terms or atomic arithmetic constraints.

Let $V$ be a set of variables; a constraint system is a pair $\mathcal{D} = (D, \mathcal{R})$ where $D$ is a specific domain of interpretation for variables and constants and $\mathcal{R}$ is a family of relations on elements of $D$. An atomic $\mathcal{D}$-constraint is a term of the form $R^n(x_1, \ldots, x_n)$, where $R^n$ is an $n$-ary relation on $D$ and $x_1, \ldots, x_n$ are variables. A $\mathcal{D}$-valuation is a mapping $v : V \to D$, i.e., an assignment of a value in $D$ to each variable. A constraint is satisfied by a $\mathcal{D}$-valuation $v$, written $v \models R(x_1, \ldots, x_n)$, if $(v(x_1), \ldots, v(x_n)) \in R$.

Let $AP$ be a set of atomic propositions and $\mathcal{D} = (D, \mathcal{R})$ a constraint system. CLTLB($\mathcal{D}$) is defined as an extension of PLTLB, by combining Boolean atoms with arithmetic temporal terms defined in $\mathcal{D}$. The resulting logic is actually equivalent to the quantifier-free fragment of FOLTL [13] over signature $\{\mathcal{R}, AP\}$. The syntax of CLTLB($\mathcal{D}$) is defined as follows:



$$\phi := p \mid R(\varphi_1, \ldots, \varphi_n) \mid \phi \wedge \phi \mid \neg\phi \mid \mathsf{X}\phi \mid \mathsf{Y}\phi \mid \phi\mathsf{U}\phi \mid \phi\mathsf{S}\phi$$
$$\varphi := x \mid \mathsf{X}\varphi \mid \mathsf{Y}\varphi$$

where $p \in AP$, $x \in V$, $\mathsf{X}$ and $\mathsf{Y}$ are the usual "next" and "previous" operators, $\mathsf{U}$ and $\mathsf{S}$ are the usual "until" and "since" operators, $R \in \mathcal{R}$, and $\mathsf{X}^j$, $\mathsf{Y}^j$ are shorthands for $j$ applications of $\mathsf{X}$ and $\mathsf{Y}$ (e.g., $\mathsf{X}^2 = \mathsf{X}\mathsf{X}$). Each formula $\varphi$ is called an arithmetic temporal term (a.t.t.). Its depth $|\varphi|$ is the total amount of temporal shift needed in evaluating $\varphi$:

$$|x| = 0, \qquad |\mathsf{X}(\varphi)| = |\varphi| + 1, \qquad |\mathsf{Y}(\varphi)| = |\varphi| - 1.$$

Let $\phi$ be a CLTLB($\mathcal{D}$) formula and $x$ a variable. We define the "look-forwards" $\lceil\phi\rceil_x$ and "look-back­wards" $\lfloor\phi\rfloor_x$ of $\phi$ relatively to $x$ as:

$$\lceil\phi\rceil_x = \max\{0, |\varphi_i|\}, \qquad \lfloor\phi\rfloor_x = \min\{0, |\varphi_i|\},$$

where $\varphi_i$ ranges over all the a.t.t.'s occurring in $\phi$ in which $x$ appears. The above definitions may naturally be extended to the set $V$ of all variables (by letting $\lceil\phi\rceil = \max_{x \in V}\{\lceil\phi\rceil_x\}$ and $\lfloor\phi\rfloor = \min_{x \in V}\{\lfloor\phi\rfloor_x\}$). Hence, $\lceil\phi\rceil$ ($\lfloor\phi\rfloor$) is the largest (smallest) depth of all the a.t.t.'s of $\phi$, representing the length of the future (past) segment needed to evaluate $\phi$ in the current instant.

The semantics of a formula $\phi$ of CLTLB($\mathcal{D}$) is defined w.r.t. a linear time structure $\pi_\sigma = (S, s_0, I, \pi, \sigma, L)$, where $S$ is a set of states, $s_0$ is the initial state, $I : \{j \mid \lfloor\phi\rfloor \leq j \leq -1\} \times V \to D$ is an assignment, $\pi \in s_0 S^\omega$ is an infinite path, $\sigma : \mathbb{N} \times V \to D$ is a sequence of $\mathcal{D}$-valuations and $L : S \to 2^{AP}$ is a labeling function. From now on, the set of all sequences of $\mathcal{D}$-valuations is denoted by $\Sigma$. Function $I$ defines the valuation of variables for each time instant in $\{j \mid \lfloor\phi\rfloor \leq j \leq -1\}$, i.e., for time instants before 0; this way $\sigma$ can be extended to a.t.t.'s. Indeed, if $\varphi$ is an a.t.t., $x$ is the variable in $\varphi$, $i \in \mathbb{N}$ and $\sigma^i(x)$ is a shorthand for $\sigma(i, x)$, then:

$$\sigma^i(\varphi) = \begin{cases} \sigma(i + |\varphi|, x), & \text{if } i + |\varphi| \geq 0, \\ I(i + |\varphi|, x), & \text{if } i + |\varphi| < 0. \end{cases}$$

The semantics of a CLTLB($\mathcal{D}$) formula at instant $i \in \mathbb{N}$ over a linear structure $\pi_\sigma$ is recursively defined by means of a satisfaction relation $\models$ as follows, for every formulae $\phi$, $\psi$ and for every a.t.t. $\varphi$ (the clauses for $\neg$, $\mathsf{X}$ and $\mathsf{Y}$ are the usual ones of PLTLB):

$$\begin{array}{lcl}
\pi^i_\sigma \models p & \Leftrightarrow & p \in L(s_i) \ \text{ for } p \in AP \\
\pi^i_\sigma \models R(\varphi_1, \ldots, \varphi_n) & \Leftrightarrow & (\sigma^{i+|\varphi_1|}(x_{\varphi_1}), \ldots, \sigma^{i+|\varphi_n|}(x_{\varphi_n})) \in R \\
\pi^i_\sigma \models \phi \wedge \psi & \Leftrightarrow & \pi^i_\sigma \models \phi \ \text{ and } \ \pi^i_\sigma \models \psi \\
\pi^i_\sigma \models \phi\mathsf{U}\psi & \Leftrightarrow & \exists\, j \geq i : \pi^j_\sigma \models \psi \ \wedge\ \pi^n_\sigma \models \phi \ \ \forall\, i \leq n < j \\
\pi^i_\sigma \models \phi\mathsf{S}\psi & \Leftrightarrow & \exists\, 0 \leq j \leq i : \pi^j_\sigma \models \psi \ \wedge\ \pi^n_\sigma \models \phi \ \ \forall\, j < n \leq i
\end{array}$$

where $x_{\varphi_i}$ is the variable that appears in $\varphi_i$. The semantics of $\phi$ is well defined, as any valuation $\sigma^i$ is defined for all $i \geq \lfloor\phi\rfloor$, because of assignment $I$. A formula $\phi \in$ CLTLB($\mathcal{D}$) is satisfiable if there exists a linear time structure $\pi_\sigma = (S, s_0, I, \pi, \sigma, L)$ such that $\pi^0_\sigma \models \phi$ (in which case $\pi_\sigma$ is a model of $\phi$). Without loss of generality, one may assume that all formulae are in positive normal form, where negation may only occur in front of atomic constraints. In fact, by introducing as primitive the connective $\vee$, the dual operators "release" $\mathsf{R}$, "trigger" $\mathsf{T}$ and "previous" $\mathsf{Z}$ defined as $\phi\mathsf{R}\psi = \neg(\neg\phi\mathsf{U}\neg\psi)$, $\phi\mathsf{T}\psi = \neg(\neg\phi\mathsf{S}\neg\psi)$ and $\mathsf{Z}\phi = \neg\mathsf{Y}\neg\phi$, and by applying De Morgan's rules, every CLTLB formula can be rewritten into positive normal form.

4 (Un)decidability of CLTLB($\mathcal{D}$)

As a first result, by exploiting well-known properties of PLTLB, we prove the equivalence of CLTLB($\mathcal{D}$) to CLTL($\mathcal{D}$) for a quantifier-free constraint system $\mathcal{D}$, w.r.t. initial equivalence. Then, as a corollary of results described in Section 2, we obtain the undecidability of CLTLB($\mathcal{D}$) for a large class of constraint systems.

In the following, as customary, we denote with $\pi$ a structure for a PLTLB formula.

Definition 1. Two PLTLB formulae $\phi$, $\psi$ are globally equivalent, written $\phi \equiv_g \psi$, if for all linear-time structures $\pi$ it is $\pi^i \models \phi \Leftrightarrow \pi^i \models \psi$ for all $i \in \mathbb{N}$. Two PLTLB formulae $\phi$, $\psi$ are initially equivalent, written $\phi \equiv_i \psi$, when $\pi^0 \models \phi \Leftrightarrow \pi^0 \models \psi$ for all linear-time structures $\pi$.

In [15] it is shown that any PLTLB formula is initially equivalent to a PLTL formula, while the two logics are not globally equivalent (see [22] for details). In order to extend this result to the constrained case, we need to introduce new temporal operators. CLTLB($\mathcal{D}$), as defined in Section 3, includes the "non-strict" until (resp. since) operator, in which formula $\phi\mathsf{U}\psi$ (resp. $\phi\mathsf{S}\psi$) holds in an instant $i$ when $\psi$ holds in $i$, and only if $\phi$ holds starting from $i$. The "strict" version of until, $\mathsf{U}_>$, instead, does not require this:

$$\pi^i \models \phi\mathsf{U}_>\psi \ \Leftrightarrow\ \exists\, j > i : \pi^j \models \psi \ \wedge\ \pi^n \models \phi \ \ \forall\, i < n < j$$

and similarly for the strict since $\mathsf{S}_>$. It is well known that the following global equivalences hold for any $\phi, \psi$:

$$\begin{array}{ll}
\mathsf{X}\phi \equiv_g \bot\mathsf{U}_>\phi; & \phi\mathsf{U}\psi \equiv_g \psi \vee (\phi \wedge \phi\mathsf{U}_>\psi); \\
\mathsf{Y}\phi \equiv_g \bot\mathsf{S}_>\phi; & \phi\mathsf{S}\psi \equiv_g \psi \vee (\phi \wedge \phi\mathsf{S}_>\psi).
\end{array}$$

Using the previous equivalences, Gabbay [14] proved that any PLTLB formula is globally equivalent to a separated PLTLB formula, i.e. a Boolean combination of formulae containing either $\mathsf{U}_>$ ($\mathsf{U}_>$-formulae) or $\mathsf{S}_>$ ($\mathsf{S}_>$-formulae), but not both. Since this theorem preserves all semantic properties, i.e., it is actually a syntactic rewriting procedure over formulae, it extends also to the case of CLTLB($\mathcal{D}$), provided that each arithmetic constraint is treated as a propositional letter. In particular, a.t.t.'s $\mathsf{X}x$/$\mathsf{Y}x$ are not rewritten using strict until/since operators, but are considered as they are, since their semantics depends on the underlying sequence $\sigma$ as defined before. Then, we need to show that $\mathsf{S}_>$-formulae can be translated into initially equivalent $\mathsf{U}_>$-formulae. More precisely, we prove the following:



Theorem 2. Any CLTLB($\mathcal{D}$) formula is initially equivalent to a CLTL($\mathcal{D}$) formula, while the two logics are not globally equivalent.

Proof sketch. We first prove that CLTL($\mathcal{D}$) is not globally equivalent to CLTLB($\mathcal{D}$) by providing a counterexample. Formula $\top\mathsf{S}A$, where $A \in AP$, was shown in [11] to have no globally equivalent PLTL formula. Now, suppose $\phi$ is a CLTL($\mathcal{D}$) formula globally equivalent to the CLTLB($\mathcal{D}$) formula $\top\mathsf{S}A$. Then, for the above reason, it should constrain at least one of its arithmetic variables by a non-trivial arithmetic formula. Since $\top\mathsf{S}A$ does not constrain any arithmetic variable, some of its models cannot be models of $\phi$.

To prove the initial equivalence we suppose each formula is written using only $\mathsf{U}_>$ and $\mathsf{S}_>$ operators, using the equivalences above. From Gabbay's Separation Theorem such a formula can be rewritten to a separated CLTLB($\mathcal{D}$) formula which is a Boolean combination of $\mathsf{S}_>$- and $\mathsf{U}_>$-formulae. The proof is concluded by noticing that any $\mathsf{S}_>$-formula is trivially initially equivalent to false. □

Corollary 3. Let $\mathcal{D} = (D, \mathcal{R})$ be a constraint system where $\mathcal{R}$ contains equality and a binary relation $R$ such that $(D, R)$ is a DAG; then, satisfiability of CLTLB($\mathcal{D}$) is undecidable.

In the following, in the case of a decidable constraint system $\mathcal{D}$, we prove the decidability of the satisfiability and the model checking problems for CLTLB($\mathcal{D}$) formulae over partial $\mathcal{D}$-valuations, in which for all computations the value of counters is considered only for a fixed number of steps. The counting mechanism of $\mathcal{D}$ is not altered along finite paths by means of constraints imposing periodicity of values of variables, and all relations are still considered over infinite, possibly periodic, paths. This allows us to define a complementary approach to the one of [8], aimed at bounded satisfiability checking [19] and BMC of infinite-state systems. With this assumption, any periodic behavior which induces a finite, even periodic, prefix of values of variables ruled by the counting mechanism and satisfying a CLTLB($\mathcal{D}$) formula can be represented. An arithmetic variable varying over a bounded set may still be represented by its Boolean representation and be part of the propositional infinite paths. It is worth noticing that, since we limit the counting mechanism along finite paths, the partial model is an under-approximation, due to the intrinsic undecidability of the general problem.

Definition 4. Let $\phi$ be a CLTLB($\mathcal{D}$) formula and $k \in \mathbb{N}$; then a $k$-partial $\mathcal{D}$-valuation $\sigma_k$ for $\phi$ is a relation in $\{i \in \mathbb{Z} \mid i \geq \lfloor\phi\rfloor\} \times V \times D$ with the condition that for each variable $x$ occurring in $\phi$, its restriction over $\{i \in \mathbb{Z} \mid \lfloor\phi\rfloor_x \leq i \leq k + \lceil\phi\rceil_x\} \times \{x\} \times D$ is a function from $\{i \in \mathbb{Z} \mid \lfloor\phi\rfloor_x \leq i \leq k + \lceil\phi\rceil_x\} \times \{x\}$ to $D$. Then, $\Sigma_k$ is the set of all $k$-partial $\mathcal{D}$-valuations for $\phi$.



Informally, $\sigma_k$ defines a unique value for each counter $x$ from $\lfloor\phi\rfloor_x$ up to the bound $k$ by means of boundary conditions in the intervals $\{i \in \mathbb{Z} \mid \lfloor\phi\rfloor_x \leq i < 0\}$ and $\{i \in \mathbb{Z} \mid k < i \leq k + \lceil\phi\rceil_x\}$, and it accounts for relations over infinite, even periodic, paths after $k$. For the case of $k$-partial $\mathcal{D}$-valuations one can define a semantics of CLTLB($\mathcal{D}$) formulae. It coincides with the semantics of the (full) $\mathcal{D}$-valuations except for the case of arithmetic relations $R$; namely:

$$\pi^i_{\sigma_k} \models R(\varphi_1, \ldots, \varphi_n) \ \Leftrightarrow\ \forall\, y_1, \ldots, y_n \in D \text{ s.t. } \forall\, 1 \leq j \leq n,\ (i + |\varphi_j|, x_{\varphi_j}, y_j) \in \sigma_k,\ \text{then } (y_1, \ldots, y_n) \in R, \qquad (1)$$

where $x_{\varphi_j}$ is the variable that appears in $\varphi_j$. If $\sigma_k$ is a function, this semantics reduces exactly to the previous one. The satisfiability problem for a CLTLB($\mathcal{D}$) formula over $k$-partial $\mathcal{D}$-valuations is that of looking for a (partial) linear time structure $\pi_{\sigma_k} = (S, s_0, \pi, \sigma_k, L)$ such that $\pi^0_{\sigma_k} \models \phi$. It is worth noticing that the initialization function $I$ is implicit in the definition of $\sigma_k$.

Theorem 5. The satisfiability of a CLTLB($\mathcal{D}$) formula $\phi$ over $k$-partial $\mathcal{D}$-valuations is decidable when $\mathcal{D}$ is decidable.

Proof sketch. Thanks to the initial equivalence of CLTLB($\mathcal{D}$) and CLTL($\mathcal{D}$) formulae (Theorem 2), we assume without loss of generality that $\phi \in$ CLTL($\mathcal{D}$); moreover, we assume that a.t.t.'s do not appear negated (i.e., negated a.t.t.'s are transformed into the positive form of the complement relation) and that constraints in $\phi$ are in disjunctive normal form (i.e., a disjunction of conjunctions of propositions and a.t.t.'s). Let $C$ be the set containing all conjunctions of such terms, and let $A_\phi$ be the corresponding Büchi automaton whose alphabet is $\Lambda = \mathcal{P}(C)$. The satisfiability of $\phi$ is reduced to the emptiness of $L(A_\phi)$. In fact, if $L(A_\phi)$ is empty, then $\phi$ is unsatisfiable. If $L(A_\phi)$ is not empty, then $A_\phi$ has one or more strongly connected components that are reachable from an initial state and contain a final state. Hence, it is enough to check if there exists a path of length $k$ from the initial state (which also considers the initial values of the variables) that can be extended to one of the above components and which satisfies each constraint. This is decidable, because the consistency problem of $\mathcal{D}$ is decidable. Finally, it can be shown that the finite sequence of variable assignments appearing in such a path of length $k$ can be extended to a $k$-partial $\mathcal{D}$-valuation on which $\phi$ is satisfied, for example by using the empty relation outside those instants in which the valuation is required to be a function. □

Section 6 computes an estimation of the complexity of the problem for a large class of constraint systems.



[Figure 1. Büchi automaton for $(p \vee r)\mathsf{U}q$, with $p := x = \mathsf{Y}y + 1$, $r := y = x + 2$ and $q := y < \mathsf{X}^2x \wedge x < \mathsf{X}x$.]

[Figure 2. Constraint graph of $\{p, r, q\}\{p\}\{r, q\}$.]



As an illustrative example, consider the satisfiability of the formula $\phi := (p \vee r)\mathsf{U}q$ where $p := x = \mathsf{Y}y + 1$, $r := y = x + 2$ and $q := y < \mathsf{X}^2x \wedge x < \mathsf{X}x$, and let $k = 3$. The emptiness problem reduces to finding a consistent assignment to $x$ and $y$ along a path of length 3 over the Büchi automaton $A_\phi$ on the alphabet $\Lambda = \{\emptyset, \{p\}, \{q\}, \{r\}, \{p, r\}, \{p, q\}, \{r, q\}, \{p, q, r\}\}$ shown in Fig. 1. Actually, we need to check the consistency for at least one prefix of length 3 of $L(A_\phi)$. In Fig. 2 we show the corresponding graph of the constraints to be solved for the word $\{p, r, q\}\{p\}\{p, q\}$. A dashed line means that the constraint in the label does not hold, numbers in the circles are possible assignments to the variables, while a blank means that the corresponding value is irrelevant, and can be left undefined.

So far, we neglected any initialization condition, solving a general satisfiability problem. If a formula is shown to be unsatisfiable, then there is no prefix of an infinite model $\pi_\sigma$, of length equal to $k$, satisfying the formula.
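The consistency check that Fig. 2 carries out by hand can be automated for difference-logic constraints. The following Python is an added example (not the paper's or Zot's code): it derives the look-forwards/look-backwards window of Section 3 from the atoms, instantiates $p$, $r$, $q$ along a length-3 prefix with atoms outside a letter turned into their complement relations (as in the proof of Theorem 5), and decides each resulting conjunction of constraints $u - v \leq c$ with Bellman-Ford negative-cycle detection. `counter_constraints` replays the objection of Section 2: the strictly increasing counter is consistent on an acyclic prefix but inconsistent as soon as the loop-back equality $x_{k+1} = x_{loop}$ of a periodic encoding is added. The atoms and the words are the paper's; the table representation, the function names and the case-split over negated atoms are this example's own.

```python
"""Difference-logic consistency of a k-prefix (Section 4 example), using the
window of Section 3 and replaying the periodicity failure of Section 2.
Added example; not the paper's own code."""
from itertools import product

# An a.t.t. is (variable, depth): depth j > 0 is X^j var, j < 0 is Y^-j var.
# A constraint (lhs, rhs, c, kind) reads lhs - rhs <= c ("le") or == c ("eq").
# The atoms of the Section 4 example over integer difference logic (DL):
ATOMS = {
    "p": [(("x", 0), ("y", -1), 1, "eq")],        # p := x = Yy + 1
    "r": [(("y", 0), ("x", 0), 2, "eq")],         # r := y = x + 2
    "q": [(("y", 0), ("x", 2), -1, "le"),         # q := y < X^2 x
          (("x", 0), ("x", 1), -1, "le")],        #      and x < Xx
}


def window(atoms, k):
    """Section 3: floor(phi)_x = min{0,|att|}, ceil(phi)_x = max{0,|att|}; the
    k-partial valuation must be a function on floor(phi)_x .. k + ceil(phi)_x."""
    lo, hi = {}, {}
    for conj in atoms.values():
        for lhs, rhs, _, _ in conj:
            for var, depth in (lhs, rhs):
                lo[var] = min(lo.get(var, 0), depth)
                hi[var] = max(hi.get(var, 0), depth)
    return {v: (lo[v], k + hi[v]) for v in lo}


def shift(conj, i):
    """Instantiate a conjunction at instant i: (var, depth) -> (var, i + depth)."""
    return [((l[0], i + l[1]), (r[0], i + r[1]), c, kind) for l, r, c, kind in conj]


def to_le(conj):
    """Split equalities into two <= constraints (pure difference logic)."""
    out = []
    for l, r, c, kind in conj:
        out.append((l, r, c))
        if kind == "eq":
            out.append((r, l, -c))
    return out


def negate(conj):
    """Complement relation over Z as a disjunction (list) of conjunctions:
    not(l - r <= c) is r - l <= -c-1; not(l - r == c) is l - r <= c-1 or r - l <= -c-1."""
    alts = []
    for l, r, c, kind in conj:
        alts.append([(r, l, -c - 1)])
        if kind == "eq":
            alts.append([(l, r, c - 1)])
    return alts


def feasible(cons, nodes=()):
    """Bellman-Ford decision procedure for conjunctions of u - v <= c: edge v -> u
    of weight c; a negative cycle means unsatisfiable. Returns an assignment
    (the shortest distances from an implicit source) or None."""
    dist = dict.fromkeys(set(nodes) | {n for u, v, _ in cons for n in (u, v)}, 0)
    for _ in range(len(dist) + 1):            # |nodes| passes + one detection pass
        changed = False
        for u, v, c in cons:
            if dist[v] + c < dist[u]:
                dist[u] = dist[v] + c
                changed = True
        if not changed:
            return dist
    return None


def consistent(word, atoms=ATOMS):
    """Section 4: find a valuation for the prefix `word` (one letter per instant
    0..k, a letter being the set of atoms that hold there) making every atom of
    the letter true and every other atom false. Negated atoms are disjunctions,
    so we case-split and run Bellman-Ford on each resulting conjunction."""
    k = len(word) - 1
    nodes = [(v, i) for v, (lo, hi) in window(atoms, k).items() for i in range(lo, hi + 1)]
    fixed, choices = [], []
    for i, letter in enumerate(word):
        for name, conj in atoms.items():
            inst = shift(conj, i)
            if name in letter:
                fixed += to_le(inst)
            else:
                choices.append(negate(inst))
    for pick in product(*choices):
        model = feasible(fixed + [c for alt in pick for c in alt], nodes)
        if model is not None:
            return model
    return None


def holds(model, word, atoms=ATOMS):
    """Independent check that `model` realises exactly the letters of `word`."""
    def sat(l, r, c, kind):
        d = model[l] - model[r]
        return d == c if kind == "eq" else d <= c
    return all((name in letter) == all(sat(*con) for con in shift(conj, i))
               for i, letter in enumerate(word) for name, conj in atoms.items())


def counter_constraints(k, loop=None):
    """Section 2: strictly increasing counter x_0 < x_1 < ... < x_{k+1}. With
    loop=i the periodicity constraint x_{k+1} = x_i of a Buechi-style translation
    is added; the counter can never satisfy it (negative cycle)."""
    cons = [(("x", i), ("x", i + 1), -1) for i in range(k + 1)]
    if loop is not None:
        cons += [(("x", k + 1), ("x", loop), 0), (("x", loop), ("x", k + 1), 0)]
    return cons


if __name__ == "__main__":
    word = [{"p", "r", "q"}, {"p"}, {"p", "q"}]      # the word discussed above
    print(sorted(consistent(word).items()))
    print(feasible(counter_constraints(3)) is not None,  # acyclic prefix: consistent
          feasible(counter_constraints(3, loop=1)))       # periodic: None
```

The blanks of Fig. 2 correspond to instants of the window that no constraint touches; Bellman-Ford leaves them at the source distance, and `holds` confirms that the returned assignment realises the letters exactly.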

5 Bounded Reachability Problem 

This section studies the bounded satisfiability of CLTLB($\mathcal{D}$) formulae by using a finite representation of infinite models. It is then shown that this entails the satisfiability of the same formula with respect to $k$-partial $\mathcal{D}$-valuations. Finally, the section introduces the Bounded (existential) Reachability Problem (BRP) for Kripke structures, showing that BRP also admits a complete procedure.

First, we need to define a bounded semantics, i.e., a semantics of a formula on finite structures. Let $k > 0$, let $\phi$ be a CLTLB($\mathcal{D}$) formula and let $\sigma_k : \{i \in \mathbb{Z} \mid \lfloor\phi\rfloor_x \leq i \leq k + \lceil\phi\rceil_x\} \times \{x\} \to D$, for each $x \in V$, called a local sequence, be a finite sequence of assignments to variables in $V$. Informally, sequence $\sigma_k$ is not only defined between instants 0 and $k$, but it is bordered by two segments defining variable values before 0 and after $k$, as shown also in Fig. 2. This is necessary to correctly define the value of all a.t.t.'s in the interval from 0 to $k$; in fact, the evaluation of an a.t.t. may involve also a bounded number of instants before instant 0 or after instant $k$. Let $\pi \in S^+$, called a finite path. A finite path is cyclic if it is of the form $usvs$, for some $s \in S$, $u, v \in S^*$. A cyclic finite path can be considered a finite representation of an infinite one, e.g., $u(sv)^\omega$. If $\pi$ is a cyclic path $usvs$, then a bounded semantics for $\phi$ over $\pi$ and local assignment $\sigma_k$ is defined as in the case of a $k$-partial $\mathcal{D}$-valuation of Section 4, by replacing $\sigma$ with $\sigma_k$ and $\pi$ with $u(sv)^\omega$ in (1). If $\pi$ is not cyclic, instead, the semantics of each relation $R$ is, for $0 \leq i \leq k$:

$$\pi^i_{\sigma_k} \models_k R(\varphi_1, \ldots, \varphi_n) \ \Leftrightarrow\ (\sigma_k^{i+|\varphi_1|}(x_{\varphi_1}), \ldots, \sigma_k^{i+|\varphi_n|}(x_{\varphi_n})) \in R.$$

The bounded semantics of temporal operators is the same as the one in [3], e.g.:

$$\begin{array}{lcl}
\pi^i_{\sigma_k} \models_k \phi\mathsf{U}\psi & \Leftrightarrow & \exists\, i \leq j \leq k : \pi^j_{\sigma_k} \models_k \psi \ \wedge\ \pi^n_{\sigma_k} \models_k \phi \ \ \forall\, i \leq n < j \\
\pi^i_{\sigma_k} \models_k \phi\mathsf{R}\psi & \Leftrightarrow & \exists\, i \leq j \leq k : \pi^j_{\sigma_k} \models_k \phi \ \wedge\ \pi^n_{\sigma_k} \models_k \psi \ \ \forall\, i \leq n \leq j \\
\pi^i_{\sigma_k} \models_k \mathsf{X}\phi & \Leftrightarrow & i + 1 \leq k \ \wedge\ \pi^{i+1}_{\sigma_k} \models_k \phi
\end{array}$$

By using the bounded semantics, the following theorem holds:

Theorem 6. For every CLTLB($\mathcal{D}$) formula $\phi$, if there exist $k > 0$, a finite path $\pi$ of length $k$ and a local assignment $\sigma_k$ such that $\pi_{\sigma_k} \models_k \phi$, then $\phi$ is satisfiable over $k$-partial $\mathcal{D}$-valuations.

Proof sketch. The statement is proven by means of a completion of the sequence $\sigma_k$ satisfying property (1). A legal completion may also involve undefined values: constraints encompassed in the loop of $\pi_{\sigma_k}$ can be suitably bordered. In particular, if $\pi = uv^\omega$ and $l$ is the length of $v$, then for each variable $x$ such that $\lceil\phi\rceil_x > 0$, for all $c \in D$ and for all $h > 0$, $(k + 1 + hl, x, c) \notin \sigma_k$. By exploiting the results in [3] and a syntactic rewriting of each $\mathcal{D}$ constraint with a propositional letter, which yields a formula $\phi'$ from $\phi$ satisfied by a propositional model $\pi'$, $\pi' \models_k \phi'$ implies $\pi' \models \phi'$. □

The above concepts can be generalized and extended to the case of $\mathcal{D}$-Kripke structures, as suggested in [10].

Definition 7. A $\mathcal{D}$-Kripke structure is a tuple $M = (S, T, C, \Lambda)$ with a finite set of states $S$, a transition relation $T \subseteq S \times S$ between states, a set $C$ of $\mathcal{D}$ relations on a.t.t.'s and a labeling function $\Lambda : S \to 2^{AP} \times C$.

Given a $\mathcal{D}$-Kripke structure $M$, a CLTLB($\mathcal{D}$) formula $\phi$ and an initial state $s_0$, the existential model checking (MC) problem amounts to checking if there exists a linear structure $\pi_\sigma$ such that $\pi_\sigma \models \phi$. Because of the undecidability results of Section 4, the existential MC problem must be redefined for $k$-partial $\mathcal{D}$-valuations in order to have a decidable under-approximation. Thanks to the well-known representation of Kripke structures through LTL formulae, and by considering a.t.t.'s in $C$ as atomic elements, it is possible to obtain a CLTLB($\mathcal{D}$) formula $\chi_M$ defining the "propositional" description of the language of the $\mathcal{D}$-Kripke structure $M$. The $k$-partial $\mathcal{D}$-valuation model checking problem is defined as the satisfiability of $\chi_M \wedge \phi$ over $k$-partial $\mathcal{D}$-valuations.

Theorem 6 may be strengthened for $\mathcal{D}$-Kripke structures when $\phi$ is a reachability formula. Formula $\phi$ is a reachability formula when it is of the form $\mathsf{F}\psi$, where $\psi$ is a CLTLB($\mathcal{D}$) formula without temporal operators (which are allowed only in a.t.t.'s). Then, the Bounded Reachability Problem (BRP) for $M$ and $\phi$ is defined as the existence of $k > 0$, a finite path $\pi$ of length $k$ and a local assignment $\sigma_k$ such that $\pi_{\sigma_k} \models_k \chi_M \wedge \phi$.

Corollary 8. For every reachability formula $\phi$ in CLTLB($\mathcal{D}$) and for every $\mathcal{D}$-Kripke structure $M$, the BRP is equivalent to the $k$-partial $\mathcal{D}$-valuation MC problem.

6 Encoding of the Bounded Reachability 
Problem 

In this section the BRP is encoded as the satisfiability of a quantifier-free formula in the theory EUF $\cup$ $\mathcal{D}$ (QF-UF$\mathcal{D}$), where EUF is the theory of Equality and Uninterpreted Functions, provided that the set $D$ includes a copy of $\mathbb{N}$ and that EUF $\cup$ $\mathcal{D}$ is consistent. The last condition is easily verified in the case of a union of two consistent, disjoint, stably infinite theories (as is the case for EUF and arithmetic). In [1] a similar encoding is described for the case of Integer Difference Logic (DL) constraints: in that case it turns out to be more succinct and expressive than the Boolean one: lengthy propositional constraints are substituted by more concise DL constraints and arithmetic (infinite) domains do not require an explicit finite representation. These facts, considering also that the satisfiability problem for the quantifier-free fragment of EUF $\cup$ DL (QF-UFIDL) has the same complexity as SAT, make this approach particularly efficient, as demonstrated by the tests outlined in Section 7.

Under the above assumption, the proposed encoding is an effective proof of the decidability of the BRP over $k$-partial $\mathcal{D}$-valuations. In the general case an estimation of the complexity of the satisfiability problem (for quantifier-free formulae) can be performed via the Nelson-Oppen Theorem [17], as shown in Corollary 9.

As discussed before, the BMC problem amounts to looking for a finite representation of infinite (possibly periodic) paths. The Boolean approach [4] encodes finite paths by means of $2k + 3$ propositional variables, while the same temporal behavior can be defined by means of one QF-UF$\mathcal{D}$ formula involving only one loop-selecting variable $loop \in D$:

$$\bigwedge_{i=1}^{k} \big((loop = i) \to L(s_{i-1}) = L(s_k)\big).$$

If the value $i$ of variable $loop$ is between 1 and $k$, then there exists a loop, and it starts at $i$; notice that the formula $loop = i$ is well defined since $D$ contains a copy of $\mathbb{N}$.

To encode a.t.t.'s, an arithmetic formula function, i.e., an uninterpreted function $\boldsymbol{\tau} : D \to D$, is associated with each arithmetic temporal subterm of $\Phi$. Let $\tau$ be such a subterm; then the arithmetic formula function associated with it (denoted by the same name but written in boldface) is recursively defined w.r.t. the sequence of valuations $\sigma$, for $0 \leq i \leq k$, as $\boldsymbol{\tau}(i) = \sigma(i - \ldots)$. If $D$ includes a copy of $\mathbb{Z}$, this semantics is well-defined between 0 and $k$ thanks to the initialization function $I$; otherwise we need to consider a shifted function $\boldsymbol{\tau}'$ such that $\boldsymbol{\tau}'(i) = \sigma(i - \lfloor\phi\rfloor, \cdot)$.
The propositional encoding is based on the one presented in [4], which is modified to take also into account relations over a.t.t.'s. In the case of the Boolean encoding, the truth value of a PLTLB formula $\Phi$ is defined w.r.t. the truth value of its subformulae. For each subformula $t$, a set of Boolean variables $\{t_i\}_{0 \leq i \leq k+1}$ is associated with it: if $t_i$ holds, then subformula $t$ holds at instant $i$. Instant $k + 1$ is introduced to more easily represent the instant in which the periodic behavior starts. The truth value of a CLTLB($\mathcal{D}$) formula $\Phi$ is defined in a similar way. The QF-UF$\mathcal{D}$ encoding, however, associates with each subformula $\theta$ a formula predicate, that is a unary uninterpreted predicate (denoted by the same name but written in boldface) $\boldsymbol{\theta} \in \mathcal{P}(D)$. When the subformula $\theta$ holds at instant $i$ then $\boldsymbol{\theta}(i)$ holds. As the length of paths is fixed to $k + 1$ and all paths start from 0, formula predicates are actually subsets of $\{0, \ldots, k + 1\}$. Let $\theta$ be a subformula of $\Phi$, $\alpha_1, \ldots, \alpha_n$ be a.t.t.'s and $R$ be an $n$-ary relation in $\mathcal{D}$; the formula predicate $\boldsymbol{\theta}$ is recursively defined over the structure of $\theta$.

Temporal subformulae constraints define the basic temporal behavior of future and past operators, by using their traditional fixpoint characterizations. The encoding for the past operators is analogous to that for future operators except for the instant 0, which must be treated separately (see [4]).

Last state constraints define an equivalence between truth at point $k + 1$ and that at the point indicated by the loop variable, since the instant $k + 1$ is representative of the instant $loop$ along periodic paths. Otherwise, for non-periodic paths, truth values in $k + 1$ are trivially false. These constraints have a similar structure to the corresponding Boolean ones, but here they are defined by only one constraint, for each subformula $\theta$ of $\Phi$, w.r.t. the variable $loop$:

$$\bigwedge_{i=1}^{k} \big((loop = i) \to (\boldsymbol{\theta}(k+1) \Leftrightarrow \boldsymbol{\theta}(i))\big) \ \wedge\ \Big(\neg\bigvee_{i=1}^{k} (loop = i) \to \neg\boldsymbol{\theta}(k+1)\Big).$$

Note that if a loop does not exist then the fixpoint semantics of $\mathsf{R}$ is exactly the one defined over finite acyclic paths in Section 5. To correctly define the semantics of $\mathsf{U}$ and $\mathsf{R}$, their eventualities have to be accounted for. Briefly, if $\phi\mathsf{U}\psi$ holds at $i$, then $\psi$ eventually holds in some $j \geq i$; if $\phi\mathsf{R}\psi$ does not hold at $i$, then $\psi$ eventually does not hold in some $j \geq i$. Along finite paths of length $k$, eventualities must hold between 0 and $k$. If a loop exists, an eventuality may hold within the loop. The original Boolean encoding introduces $k$ propositional variables for each subformula $\theta$ of $\Phi$ of the form $\phi\mathsf{U}\psi$ or $\phi\mathsf{R}\psi$ (one for each $1 \leq i \leq k$), which represent the eventuality of $\psi$ implicit in the formula, as first defined in [4]. Instead, in the QF-UF$\mathcal{D}$ encoding, only one variable $j_\psi \in D$ is introduced for each $\psi$ occurring in a subformula $\phi\mathsf{U}\psi$ or $\phi\mathsf{R}\psi$.

The complete encoding of $\Phi$ consists of the logical conjunction of all constraints above, together with $\Phi$ evaluated at the first instant along the time structure.

If $m$ is the total number of subformulae and $n$ is the total number of temporal operators $\mathsf{U}$ and $\mathsf{R}$ occurring in $\Phi$, then the Boolean encoding requires $(2k + 3) + (k + 2)m + (k + 1)n = O(k(m + n))$ fresh propositional variables. The QF-UF$\mathcal{D}$ encoding requires only $n + 1$ integer variables ($loop$ and the $j_\psi$'s) and $m$ unary predicates (one for each subformula).
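As an added illustration (not the paper's or Zot's encoder), the following Python emits a QF-UFLIA script of the shape described in this section for a formula over instants $0..k$: the integer $loop$ with the loop-selecting constraint, one unary uninterpreted predicate per subformula with its fixpoint unrolling, the last-state constraints displayed above, one integer $j$ per until, and the arithmetic variables as uninterpreted functions Int → Int so that an a.t.t. such as $\mathsf{X}^2x$ at instant $i$ is simply `(x i+2)`. The paper's own eventuality constraint is not reproduced on this page, so the one emitted (if a loop exists and $\phi\mathsf{U}\psi$ holds at the loop representative $k + 1$, then $\psi$ holds at some $loop \leq j \leq k$) is this example's assumption; the fixpoint for $\mathsf{U}$, $\psi \vee (\phi \wedge \mathsf{X}\theta)$, is the traditional one the text refers to. The AST encoding, `num` and `balanced` are this example's own.

```python
"""QF-UFLIA encoding of a bounded path of length k in the shape of Section 6.
Added example; not the paper's or Zot's code.  Formula AST (plain tuples):
  ("atom", name, term_at)   term_at(i) -> SMT-LIB Boolean term at instant i
  ("and"|"or", a, b), ("next", a), ("until", a, b)"""


def num(n):
    """SMT-LIB 2 has no negative literals: -1 must be written (- 1)."""
    return str(n) if n >= 0 else f"(- {-n})"


def balanced(script):
    """Sanity check: every emitted line is a closed S-expression."""
    return all(line.count("(") == line.count(")") for line in script.splitlines())


def encode(phi, k, variables=("x", "y")):
    """Return an SMT-LIB 2 script, satisfiable iff phi has a bounded model on
    instants 0..k (instant k+1 stands for the loop target, or is dead)."""
    decls = ["(set-logic QF_UFLIA)", "(declare-fun loop () Int)"]
    decls += [f"(declare-fun {v} (Int) Int)" for v in variables]   # a.t.t. functions
    asserts, names, atom_names = [], {}, []
    has_loop = "(or " + " ".join(f"(= loop {i})" for i in range(1, k + 1)) + ")"

    def ev(node):
        """Allocate the formula predicate of `node` and emit its constraints."""
        if id(node) in names:
            return names[id(node)]
        name = names[id(node)] = f"f{len(names)}"
        decls.append(f"(declare-fun {name} (Int) Bool)")
        kind = node[0]
        if kind == "atom":
            atom_names.append(name)
            at = node[2]
        elif kind in ("and", "or"):
            a, b = ev(node[1]), ev(node[2])
            at = lambda i: f"({kind} ({a} {i}) ({b} {i}))"
        elif kind == "next":
            a = ev(node[1])
            at = lambda i: f"({a} {i + 1})"
        elif kind == "until":                 # traditional fixpoint: b or (a and X theta)
            a, b = ev(node[1]), ev(node[2])
            at = lambda i: f"(or ({b} {i}) (and ({a} {i}) ({name} {i + 1})))"
        else:
            raise ValueError(kind)
        for i in range(k + 1):
            asserts.append(f"(assert (= ({name} {i}) {at(i)}))")
        # last-state constraints: theta(k+1) <-> theta(loop); false without a loop
        asserts.append("(assert (and " + " ".join(
            f"(=> (= loop {i}) (= ({name} {k + 1}) ({name} {i})))"
            for i in range(1, k + 1)) + "))")
        asserts.append(f"(assert (=> (not {has_loop}) (not ({name} {k + 1}))))")
        if kind == "until":
            # eventuality (assumed shape): on a loop, theta at k+1 forces b at
            # some j with loop <= j <= k; one integer per until, not k Booleans
            j = f"j_{name}"
            decls.append(f"(declare-fun {j} () Int)")
            asserts.append(f"(assert (=> (and {has_loop} ({name} {k + 1})) "
                           f"(and (<= loop {j}) (<= {j} {k}) ({b} {j}))))")
        return name

    root = ev(phi)
    # loop-selecting constraint: loop = i  ->  L(s_{i-1}) = L(s_k), on the atoms
    asserts.append("(assert (and " + " ".join(
        f"(=> (= loop {i}) (and " + " ".join(
            f"(= ({p} {i - 1}) ({p} {k}))" for p in atom_names) + "))"
        for i in range(1, k + 1)) + "))")
    asserts.append(f"(assert ({root} 0))")    # Phi at the first instant
    return "\n".join(decls + asserts + ["(check-sat)", "(get-model)"])


# The Section 4 example, (p or r) U q, with the a.t.t.'s written over x, y : Int -> Int
P = ("atom", "p", lambda i: f"(= (x {num(i)}) (+ (y {num(i - 1)}) 1))")
R = ("atom", "r", lambda i: f"(= (y {num(i)}) (+ (x {num(i)}) 2))")
Q = ("atom", "q", lambda i: f"(and (< (y {num(i)}) (x {num(i + 2)})) "
                            f"(< (x {num(i)}) (x {num(i + 1)})))")
PHI = ("until", ("or", P, R), Q)

if __name__ == "__main__":
    print(encode(PHI, 3))        # feed to z3 / yices: sat, with a model for loop, x, y
```

Note the `(y (- 1))` term produced by $\mathsf{Y}y$ at instant 0: with $D = \mathbb{Z}$ the solver simply picks a value for it, which is the role the text assigns to the initialization function $I$.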

As previously anticipated, if $\mathcal{D}$ is a consistent, stably infinite theory, $\phi$ is a formula of length $n$ and $T(n)$ is the complexity of the satisfiability problem in $\mathcal{D}$ then, by the Nelson-Oppen Theorem, the satisfiability of a CLTLB($\mathcal{D}$) formula $\phi$ over $k$-partial $\mathcal{D}$-valuations can be solved in $O(2^{n^2}(nk\log(nk) + T(nk)))$; moreover, if $\mathcal{D}$ is convex it can be solved in time polynomial in $n$ times $(nk\log(nk) + T(nk))$.

Corollary 9. The satisfiability of a CLTLB($\mathcal{D}$) formula over $k$-partial $\mathcal{D}$-valuations is NP-complete when $\mathcal{D}$ is DL, P when $\mathcal{D}$ is RDL (Real DL) and 4-EXPTIME when $\mathcal{D}$ is LIA (Linear Integer Arithmetic).

7 Experimental Results 

The encoding presented in Section 6 for CLTLB(DL) has been implemented as a plugin of the Zot tool¹. This implementation exploits SMT solvers as verification engines, and in particular it is based on the SMT-LIB [21] to achieve independence from the particular SMT solver used². The Zot plugin has been used to carry out a number of experiments on a variety of examples, old and new. For the sake of brevity, we do not report here the full experimental data³, and we only briefly summarize them in an informal way.

We carried out two kinds of experiments. First, we used the new encoding to perform BMC on a set of previously defined PLTLB specifications, to compare the performance of the new Zot plugin w.r.t. the existing SAT-based one presented in [20]. The SMT-based encoding showed considerable improvements in the vast majority of experiments, for both of the SMT solvers used. The recorded speedup (computed as the ratio $T_{SAT}/T_{SMT}$) was always substantial, and in many cases it was more than tenfold (often considerably more than that). For example, we repeated the experiments of [2] with the new encoding, and the average speedup in the overall verification time was around 2.4 with Z3, and 21.4 with Yices; we point out that the gains in performance were particularly significant for the most complex specifications.

In the second set of experiments we exploited also the new features of CLTLB(DL) w.r.t. PLTLB, and we used the bounded reachability results presented in Section 5 to analyze some relevant aspects of non-trivial applications based on the Service-Oriented paradigm [1]. On examples that fall in the range of properties expressible through both CLTLB(DL) and PLTLB (e.g., those that involve only bounded domains), the performance of the SMT-based verification is, again, an order of magnitude better than that of the SAT-based one (the average performance speedup over such properties was 55 with Z3 and 7.4 with Yices).

¹ Zot is available at home.dei.polimi.it/pradella.
² As SMT solvers we used both Yices (yices.csl.sri.com) and Z3 (research.microsoft.com/en-us/um/redmond/projects/z3).
³ The data are available at home.dei.polimi.it/bersani.

8 Conclusions and Future Work 

In this paper, we introduced the logic CLTLB($\mathcal{D}$), an extension of PLTLB allowing as subformulae arithmetic constraints belonging to a generic constraint system $\mathcal{D}$. We introduced suitable assumptions concerning the structure of models to make satisfiability of CLTLB($\mathcal{D}$) decidable, provided that $\mathcal{D}$ has, in turn, a decidable decision procedure. In this case, the Bounded Reachability Problem (BRP) for CLTLB($\mathcal{D}$) formulae can be solved by means of automatic software verification tools. We built a Bounded Reachability Checker by using SMT-solvers which natively implement decision procedures for QF-UF$\mathcal{D}$ when $\mathcal{D}$ is DL or LIA, with very encouraging experimental results.

Future work will compare the new arithmetic-based encoding with existing Boolean ones by means of a comprehensive set of tests; we also intend to define new extensions representing infinite behaviors of variables and search for suitable classes of formulae inducing actual $\omega$-periodic models.